Bitcoin Forum
Author Topic: I taint rich! (Raw txn fun and disrupting 'taint' analysis; >51kBTC linked!)  (Read 22778 times)
dooglus
February 04, 2013, 07:41:25 PM  #41

Couldn't we use some of the more interesting signature types (ANYONECANPAY or something like that)? People could sign a transaction with their one input they're putting in, their output to themselves that they care about, 1 BTC to you, and you then just add your 1 BTC input from any transaction you want.

If we use "SINGLE|ANYONECANPAY" then we can each make a transaction with 1 input and 1 output which just sends our BTC to ourselves, and gmaxwell can combine them all into a single transaction.  I think.

"SINGLE" meaning "I don't care who else gets paid, so long as I get my BTC", and "ANYONECANPAY" meaning "I don't care who else pays, so long as I pay my BTC".
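
An added example (not code from the thread) that models the legacy, pre-SegWit SignatureHash reductions for SIGHASH_SINGLE|ANYONECANPAY and checks what survives when the separately signed pieces are joined. It shows the one catch in the scheme described above: under SINGLE the digest commits to the input's index (every earlier output is nulled into it), so a signature made over a standalone 1-in/1-out transaction only matches slot 0; once each party signs knowing its slot, a further input can be appended at the end without disturbing anyone. The transaction ids, scripts and amounts are constructed placeholders, and scripts are left out of the digest for brevity.

```python
import hashlib
import struct

SIGHASH_ALL, SIGHASH_SINGLE, SIGHASH_ANYONECANPAY = 0x01, 0x03, 0x80
SINGLE_ACP = SIGHASH_SINGLE | SIGHASH_ANYONECANPAY  # the combination dooglus proposes

# Transaction model: vin entries are (txid_hex, vout_index, sequence), vout entries are
# (value_satoshi, scriptPubKey_hex). Scripts are left empty in the digest (the real
# algorithm copies the spent scriptPubKey into the signed input); that does not affect
# the index dependence shown here.

def reduced_tx(tx, n_in, hash_type):
    """Apply the legacy (pre-SegWit) SignatureHash reductions for input n_in."""
    vin, vout = list(tx["vin"]), list(tx["vout"])
    if (hash_type & 0x1F) == SIGHASH_SINGLE:
        if n_in >= len(vout):
            return None  # no output opposite this input: the 'hash is 1' corner case
        vout = [(-1, "")] * n_in + [vout[n_in]]  # earlier outputs nulled, later ones dropped
        vin = [(t, v, s if i == n_in else 0) for i, (t, v, s) in enumerate(vin)]
    if hash_type & SIGHASH_ANYONECANPAY:
        vin = [vin[n_in]]  # only the signer's own input is committed to
    return {"vin": vin, "vout": vout, "locktime": tx["locktime"]}

def sighash(tx, n_in, hash_type):
    """Double-SHA256 digest that the signer of input n_in commits to."""
    r = reduced_tx(tx, n_in, hash_type)
    if r is None:
        return b"\x01" + b"\x00" * 31
    data = struct.pack("<I", 1) + bytes([len(r["vin"])])
    for txid, vout, seq in r["vin"]:
        data += bytes.fromhex(txid)[::-1] + struct.pack("<I", vout) + b"\x00" + struct.pack("<I", seq)
    data += bytes([len(r["vout"])])
    for value, script in r["vout"]:
        spk = bytes.fromhex(script)
        data += struct.pack("<q", value) + bytes([len(spk)]) + spk
    data += struct.pack("<I", r["locktime"]) + struct.pack("<I", hash_type)
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def solo_tx(inp, out):
    return {"vin": [inp], "vout": [out], "locktime": 0}
def joined_tx(parties):  # input k sits opposite output k, as SIGHASH_SINGLE requires
    return {"vin": [i for i, _ in parties], "vout": [o for _, o in parties], "locktime": 0}

def slot_digest(my_in, my_out, slot):
    """What a SINGLE|ANYONECANPAY signer can compute alone once it knows its slot index."""
    tx = {"vin": [("00" * 32, 0, 0)] * slot + [my_in],
          "vout": [(0, "")] * slot + [my_out], "locktime": 0}  # placeholders get nulled/dropped
    return sighash(tx, slot, SINGLE_ACP)

def solo_digests_survive_join(parties, hash_type):
    """True if a digest over each party's own 1-in/1-out tx still matches inside the join."""
    j = joined_tx(parties)
    return all(sighash(solo_tx(i, o), 0, hash_type) == sighash(j, k, hash_type)
               for k, (i, o) in enumerate(parties))

def slot_digests_survive_join(parties):
    j = joined_tx(parties)
    return all(slot_digest(i, o, k) == sighash(j, k, SINGLE_ACP) for k, (i, o) in enumerate(parties))

def p2pkh(h): return "76a914" + h * 20 + "88ac"  # constructed placeholder scriptPubKey
# Constructed sample parties: each spends one coin and pays 1 BTC back to itself.
PARTIES = [(("aa" * 32, 0, 0xFFFFFFFF), (100_000_000, p2pkh("11"))),
           (("bb" * 32, 1, 0xFFFFFFFF), (100_000_000, p2pkh("22"))),
           (("cc" * 32, 0, 0xFFFFFFFF), (100_000_000, p2pkh("33")))]
LATE_JOINER = (("dd" * 32, 2, 0xFFFFFFFF), (100_000_000, p2pkh("44")))  # input appended last
```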

pc
February 04, 2013, 08:43:21 PM  #42

If we use "SINGLE|ANYONECANPAY" then we can each make a transaction with 1 input and 1 output which just sends our BTC to ourselves, and gmaxwell can combine them all into a single transaction.  I think.

I think so too, although "taint analysis" tools should be able to exclude those transactions really simply as not being indicative of all the inputs having the same owner. Though if the point is to demonstrate how simplistic the tools are at this stage, that might be good to try anyway just to force them to adapt.
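
An added illustration of pc's point, not code from the thread: a toy common-input-ownership clustering run over a constructed ledger, with a simple rule that skips transactions showing the equal-output pattern of a joint transaction. Addresses and amounts are placeholders; a joint transaction built without equal outputs passes this rule untouched, which is the "force them to adapt" part.

```python
from collections import Counter

# Constructed sample ledger (placeholder addresses, not real chain data). Each
# transaction is (inputs, outputs); both sides are lists of (address, satoshis).
# An address may fund several transactions: it can hold more than one unspent output.
LEDGER = [
    ([("alice1", 60_000_000), ("alice2", 50_000_000)], [("shop", 100_000_000), ("alice3", 9_990_000)]),
    ([("bob1", 70_000_000), ("bob2", 40_000_000)], [("shop", 100_000_000), ("bob3", 9_990_000)]),
    ([("carol1", 120_000_000)], [("shop", 100_000_000), ("carol2", 19_990_000)]),
    # joint transaction in the style of this thread: three unrelated owners each
    # fund one equal-sized output plus their own change
    ([("alice2", 20_000_000), ("bob2", 20_000_000), ("carol1", 30_000_000)],
     [("x1", 10_000_000), ("x2", 10_000_000), ("x3", 10_000_000),
      ("alice4", 9_990_000), ("bob4", 9_990_000), ("carol3", 19_990_000)]),
]

def likely_coinjoin(tx, min_parties=3):
    """Flag a probable joint transaction: at least min_parties inputs and a
    group of equal-valued outputs at least that large (the classic mix pattern)."""
    inputs, outputs = tx
    if len(inputs) < min_parties:
        return False
    _, count = Counter(value for _, value in outputs).most_common(1)[0]
    return count >= min_parties

def owner_clusters(ledger, skip_coinjoins):
    """Common-input-ownership heuristic (union-find over co-spent addresses),
    optionally ignoring transactions that likely_coinjoin() flags."""
    parent = {}

    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path halving
            a = parent[a]
        return a

    for tx in ledger:
        if skip_coinjoins and likely_coinjoin(tx):
            continue
        addrs = [a for a, _ in tx[0]]
        for a in addrs:
            parent[find(a)] = find(addrs[0])
    groups = {}
    for a in parent:
        groups.setdefault(find(a), set()).add(a)
    return sorted(groups.values(), key=sorted)

def same_owner(ledger, a, b, skip_coinjoins):
    """Does the heuristic put addresses a and b in one wallet cluster?"""
    return any(a in g and b in g for g in owner_clusters(ledger, skip_coinjoins))
```

With the join counted, every participant's earlier spends collapse into a single cluster; with it excluded, the three wallets stay apart.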
gmaxwell (OP)
July 14, 2013, 04:59:43 AM  #43

This could also be used to reduce the damage from deanonymization attacks, like this appears to be: https://bitcointalk.org/index.php?topic=254615.40
Inedible
July 15, 2013, 09:28:06 AM  #44

Another thing I don't understand is that if all participating members have to sign the outgoing transaction, wouldn't that be a system prone to abuse? I'd put my bitcoin in the pool, but if there are 1,000 other participants I can just forget my bitcoin and never agree to sign a txn that would free those bitcoins and everyone loses.

Did you ever find out about this, WiW?

gmaxwell (OP)
July 15, 2013, 09:40:03 AM  #45
Last edit: July 15, 2013, 09:55:10 AM by gmaxwell

Another thing I don't understand is that if all participating members have to sign the outgoing transaction, wouldn't that be a system prone to abuse? I'd put my bitcoin in the pool, but if there are 1,000 other participants I can just forget my bitcoin and never agree to sign a txn that would free those bitcoins and everyone loses.
Did you ever find out about this, WiW?

To solve that you need to layer on something to prevent DoS attacks.  There are a bunch of different ways to do that... but they all basically amount to schemes that in order to play you need to have some kind of valuable "identity" (might just be evidence that you paid a lot of bitcoin txn fees or donated to some charity). And if the mix fails you blacklist the identity that jammed it up and you restart. You can adjust how intensive the blacklisting is and how expensive the identity is based on how hard the mixing is being attacked.

Putting your bitcoin in the pool doesn't actually take it out of your control until the transaction is signed by everyone and announced, it's atomic— so if it gets jammed the bitcoin is still yours and you can simply spend it again— either in another attempted mix round or someplace else entirely.  (and spending a coin out from under the process is one of the ways someone might be jamming it, but that's even more reliably detectable than not signing)

Most recently I wrote this on the subject.
ShadowOfHarbringer
July 15, 2013, 11:16:15 AM  #46

Ever since I was a wee lad I've had a dream .... a dream of being incorrectly assessed as impossibly rich by brain-dead automated analysis.  Now with your help I can be!

Here is how it works:  A lot of people mistakenly assume that when a transaction spends from multiple addresses all those addresses are owned by the same party.  This is commonly the case, but it doesn't have to be so: people can cooperate to author a transaction in a secure and trustless manner.   We can make it a lot easier for people making this mistake to discover their folly by making there be a single address that seems linked to everything.

So basically you created another ZeroCoin, but one working using an obfuscation technique and easier to perform (without requiring a lot of code)?
Is this brilliant or what?

gmaxwell (OP)
July 15, 2013, 08:50:30 PM  #47

So basically you created another ZeroCoin, but one working using an obfuscation technique and easier to perform (without requiring a lot of code)?

Yes, this transaction style can achieve some similar outcomes but it doesn't require computationally expensive / difficult to trust novel cryptography, and it doesn't require changing the Bitcoin network nor does it require an altchain. Nor does it require a trusted initiator. And it should have much better scalability for small mixing groups.

On the flip side, making it into something useful to many people still requires a lot of development, and potentially a little bit of novel cryptography (e.g. even zerocoin itself) to prevent denial of service... but that stuff would be external to Bitcoin— just software the users need to worry about, not everyone. And it would handle large anonymity sets poorly, the practical limit is probably on the order of a hundred or so parties in a transaction... though funds could go through multiple levels of common sending.

I personally think joint transactions are a much more realistic technology for improving Bitcoin privacy and preserving Bitcoin fungibility than Zerocoin is, at this time.  Though zerocoin certainly is more crypto-mathematically exciting.  Though I suspect that people's lack of interest in techniques like this (note the date on the original post) suggests that people don't really consider the privacy/fungibility problems as bad as the hype around ZC suggests they do.  Maybe if I'd given the thread a snazzy name like "INVISIBLE HAND" people would be more excited.

giszmo
July 15, 2013, 09:13:57 PM  #48

Huh??? How does a system that is based on meeting with others to forge a mix have anything to do with ZeroCoin? ZeroCoin allows you to add a coin to the mix at any time and pull it out later without the two events being connected by knowable links.

luv2drnkbr
July 16, 2013, 12:18:11 AM  #49

Toasting in epic bread.

Seriously, I love this idea and this community.

marcus_of_augustus
July 16, 2013, 12:59:28 AM  #50

Good stuff. One of these anonymity/privacy/fungibility projects is going to be so successful that it will become the default because anything else is just too stupid to contemplate ... like a sharp knife is the default ahead of a blunt one, and all the evil hair-splitting and moral obfuscation of what money needs to be to work properly will be bad memories in the dustbin of history.

gmaxwell (OP)
July 16, 2013, 02:03:33 AM  #51

Huh??? How does a system that is based on meeting with others to forge a mix have anything to do with ZeroCoin? ZeroCoin allows you to add a coin to the mix at any time and pull it out later without the two events being connected by knowable links.

None of this requires that the 'meeting' of the participants be synchronous.  You could happily announce your intention to form a mixing transaction into a long lived broadcast communication channel (gah, even a blockchain, though that's about the worst communication channel for this).   You connect separately to provide your outputs, and later to sign the resulting transactions. Of course, you must anonymize your communications channels— but the same is true for ZC, if a network observer sees you making the redeem they know who redeemed.

The primary limitation is that when the number of participants becomes high in a single joint transaction the failure (and retry) rate would become unacceptably high.  But you don't need enormous mixing operations since you can cascade them.  (How retries compare to systems that require serialization of mints and spends is an interesting question).

gmaxwell (OP)
August 22, 2013, 04:34:20 AM  #52

I've just made a detailed post about the privacy promoting uses of this technique.
Dabs
September 14, 2013, 12:02:56 PM  #53

I haven't kept up with the coinjoin thread, but ... assuming people could trust either one individual or one entity or even 2-of-3 multisignature addresses, can a bunch of people just send coins to that one person, and he sends it to himself (consolidating all the unspent inputs into 1 output), then send them all back out to the same bunch of people (at different addresses), and this is effectively mixed?

Let me rephrase that in steps:
1. many people send coins to, for example you, 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait 6 confirmations.
2. you then use some form of raw transaction or coin-control to get all the unspent inputs, then spend them all back to 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait another 6 confirmations.
3. then you send the coins back to their original owners.

Of course, this method is flawed in that they (the people) have to trust you. But a service could do this and charge 1% or something, like blockchain or bitcoin fog used to (they really did mixing by not connecting users to each other.)

gmaxwell (OP)
September 14, 2013, 06:55:15 PM  #54

This requires handing your funds over to some third party. Who then themselves learns the correspondence, which they could secretly log due to coercive pressure or just for profit. The activity might subject them to various oddball regulations about handling other people's money, and if they're the sort of organization which is hidden from the law— they'll also be hidden from the consequences of vanishing with your money, it makes for a good long con. The cost of gaining confidence would constitute a barrier to enter the market, keeping fees high.

The end result is that you have an "anonymization" service that mostly only fools and criminals would be very inclined to use and thus it wouldn't increase users' privacy a lot.

The point of this thread was to show that transactions could be made that defied and disrupted 'taint analysis' without putting your coins at risk in the hands of a third party, and to have a little fun in the process.
Dabs
September 15, 2013, 12:42:11 AM  #55

The cost of gaining confidence would constitute a barrier to enter the market, keeping fees high.

That is sort of reassuring. Maybe I could do this and charge 1.9%.

Like Satoshidice. Except you always win with 100% chance.

And it would still be fun. Heheheh.

Ente
September 17, 2013, 09:08:55 PM  #56

I haven't kept up with the coinjoin thread, but ... assuming people could trust either one individual or one entity or even 2-of-3 multisignature addresses, can a bunch of people just send coins to that one person, and he sends it to himself (consolidating all the unspent inputs into 1 output), then send them all back out to the same bunch of people (at different addresses), and this is effectively mixed?

Let me rephrase that in steps:
1. many people send coins to, for example you, 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait 6 confirmations.
2. you then use some form of raw transaction or coin-control to get all the unspent inputs, then spend them all back to 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB, wait another 6 confirmations.
3. then you send the coins back to their original owners.

Of course, this method is flawed in that they (the people) have to trust you. But a service could do this and charge 1% or something, like blockchain or bitcoin fog used to (they really did mixing by not connecting users to each other.)

Maybe I'm misunderstanding here, or am missing something:
Why the extra step to "send all inputs to one address" and then split them up again?
As far as I remember, coinjoin does exactly the same thing you suggest, except it creates one huge transaction, where everybody throws inputs at it, defines new, "anonymous" outputs, and signs the whole tx when they are happy with the result. It's either all or nothing, the coins can't be taken in between. Also there is no central point whatsoever. Except, for convenience, a central point to organize all the people and inputs, outputs and the like.
I see a market for such a central point. TOR and anonymity would be fine too, an .onion address would in fact be helpful. I'd throw a small fee at it too.

Ente
Dabs
September 18, 2013, 12:05:41 AM  #57

Maybe I'm misunderstanding here, or am missing something:
Why the extra step to "send all inputs to one address" and then split them up again?
As far as I remember, coinjoin does exactly the same thing you suggest, except it creates one huge transaction, where everybody throws inputs at it, defines new, "anonymous" outputs, and signs the whole tx when they are happy with the result. It's either all or nothing, the coins can't be taken in between. Also there is no central point whatsoever. Except, for convenience, a central point to organize all the people and inputs, outputs and the like.
I see a market for such a central point. TOR and anonymity would be fine too, an .onion address would in fact be helpful. I'd throw a small fee at it too.

Ente

Step 2 in my method is supposed to combine all the unspent inputs into one giant input. That mixes all the coins together. Coins in the same address from different inputs are not necessarily mixed yet.

Bitcoin works with inputs, regardless of addresses. One address can have several unspent inputs, and this is going to be the case when many people send to one address.

QuestionAuthority
September 18, 2013, 01:21:25 AM  #58

This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

madmadmax
September 18, 2013, 01:39:28 AM  #59

This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

If a bank issues liabilities (e.g. paper notes) and you get yours stolen it doesn't mean that the bank has to render your stolen notes worthless, for it would make all the paper notes ever printed fall in value. Same thing with BTC, if you lost it then it's your fault for being a n00b, it's not his fault for tainting rich.
QuestionAuthority
September 18, 2013, 01:58:47 AM  #60

This is interesting. Let's say I had 10k stolen btc that I wanted to launder. I could send them to you and when they return to me they would be linked to your well known address as well as all of the other addresses in the mixing group. Wouldn't that just give investigators more work instead of eliminating the trail entirely? Possibly make the mixing group accessories to the crime? With thousands of participants would it be very difficult to parse the transactions or impossible? Couldn't you still analyze the transactions and track down individual Bitcoin users that need questioning?

If a bank issues liabilities (e.g. paper notes) and you get yours stolen it doesn't mean that the bank has to render your stolen notes worthless, for it would make all the paper notes ever printed fall in value. Same thing with BTC, if you lost it then it's your fault for being a n00b, it's not his fault for tainting rich.

It must be happy hour?
